We are in the process of migrating from LDAP -> LDAPS on one of our primary domains.
Because we don't have a PKI / CA issuer present in the environment, we have used PowerShell to create a self-signed certificate.
This also means that in the cert chain our CA and certificate are the same / the CA is not present.
So we also disabled "SSL Verify hostname" on the Directory sync settings page at duo.com.
Currently we are facing the issue that we can't enable LDAPS, since the website reports the error "The directory server credentials were rejected."
In the authproxy.txt logfile, it breaks with an OpenSSL error: "OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]"
According to Duo's documentation, we have tried the following:
1. Upgrading to the latest Duo build
2. Tried with a *.domain.local certificate
3. Tried with a DCName.domain.local certificate (https://help.duo.com/s/article/2220?language=en_US)
4. Trusted the self-signed certificate in the Windows cert store on the server where the Duo Auth Proxy is installed.
So the million dollar question:
How can we set up LDAPS from the Auth Proxy -> Domain controller while using a self-signed certificate?
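The post describes creating the LDAPS certificate with PowerShell and then trusting it on the proxy host. The script below is an added example, not code from the original post or from Duo; it shows the shape of a self-signed domain-controller certificate that an OpenSSL-based client can be told to trust, and exports the public part as PEM. The DC name DC01.domain.local and the output folder C:\ldaps are assumed placeholder values; run it on the domain controller as an administrator.

```powershell
# Added example (not from the original post or from Duo): create a self-signed LDAPS
# certificate for a domain controller and export its public part as a PEM file.
# Assumed placeholder values: DC01.domain.local and C:\ldaps.

$DcFqdn = 'DC01.domain.local'   # assumed: replace with the DC's FQDN
$OutDir = 'C:\ldaps'            # assumed: output folder for the exported certificate
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# A server certificate is only accepted for LDAPS if the DC's FQDN is in the SAN and the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is present. The machine's personal store
# (Cert:\LocalMachine\My) is where the DC looks for a usable LDAPS certificate.
$cert = New-SelfSignedCertificate `
    -DnsName $DcFqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2)

# Export the public certificate only (DER), then re-encode it as Base64 PEM, the format
# an OpenSSL-based client expects for its trusted CA file. The private key stays on the DC.
$derPath = Join-Path $OutDir 'ldaps-dc.cer'
$pemPath = Join-Path $OutDir 'ldaps-dc.pem'
Export-Certificate -Cert $cert -FilePath $derPath -Type CERT | Out-Null
certutil -encode $derPath $pemPath | Out-Null

# With a self-issued certificate, Subject and Issuer are identical, so this single PEM is
# both the server certificate and the only "CA" a verifying client can be pointed at.
$cert | Select-Object Subject, Issuer, Thumbprint, NotAfter

# Quick reachability check of the LDAPS port from any Windows host on the network.
Test-NetConnection -ComputerName $DcFqdn -Port 636 | Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

The "certificate verify failed" error in the log comes from OpenSSL, and OpenSSL does not consult the Windows certificate store by default: a client built on it trusts only the PEM bundle it is configured with. The exported ldaps-dc.pem is therefore the file to supply wherever the proxy is configured with its trusted CA certificates; the name of that setting is not on this page, so check the proxy documentation for it. Because the key is self-issued, rotating it means re-exporting and redistributing the PEM to every client, which is the operational cost of running LDAPS without a CA.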